Date:      Mon, 6 Jan 2003 11:32:45 -0600
From:      Dan Nelson <dnelson@allantgroup.com>
To:        Jonathan Belson <jon@witchspace.com>
Cc:        Ceri Davies <setantae@submonkey.net>, freebsd-questions@FreeBSD.ORG
Subject:   Re: [Q] ipfw and 'me'
Message-ID:  <20030106173244.GA54032@dan.emsphone.com>
In-Reply-To: <3E19BB9E.6010207@witchspace.com>
References:  <3E19B689.2090207@witchspace.com> <20030106171001.GA13668@submonkey.net> <3E19BB9E.6010207@witchspace.com>

In the last episode (Jan 06), Jonathan Belson said:
> Ceri Davies wrote:
> >On Mon, Jan 06, 2003 at 05:02:01PM +0000, Jonathan Belson wrote:
> >>I've just been looking into the 'me' option for ipfw:
> >>
> >>me      matches any IP address configured on an interface in the
> >>       system.  The address list is evaluated at the time the
> >>       packet is analysed.
> >>
> >> Since the machine is a gateway, it has two network cards.  Will
> >> 'me' match *both* IP addresses or just the first one it comes
> >> across?  I only really want it to match the IP address of the
> >> external interface, not the internal one.
> >
> > Both, I'm afraid.
> 
> Hmm, I suppose since tests for IP spoofing through the external
> interface have already been carried out by that point, it isn't that
> much of a problem.
> 
> Does the fancy-pants new IPFW2 allow more control for 'me'?

me is me.  Maybe the "recv | xmit | via {ifX | if* | ipno | any}"
options will help?  What exactly are you trying to allow/block?

-- 
	Dan Nelson
	dnelson@allantgroup.com
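
The difference between `me` on its own, `me` narrowed with the interface options mentioned in the reply, and an explicit address, as an added example that is not part of the original message. The interface names (fxp0 external, fxp1 internal), the addresses, the rule numbers and the SSH port are all assumptions chosen for illustration, written as an ipfw rule file; the three rules are alternatives, not a ruleset to load together.

```conf
# Constructed example, not from the thread.
# Assumed gateway layout:
#   fxp0 = external interface, address 192.0.2.10
#   fxp1 = internal interface, address 10.0.0.1

# Alternative 1: 'me' alone.
# The destination matches if it is 192.0.2.10 OR 10.0.0.1, and the
# rule does not care which interface the packet arrived on.
add 1000 allow tcp from any to me 22

# Alternative 2: 'me' narrowed by receive interface.
# Only packets that came in on fxp0 match, but the destination may
# still be either local address: 'recv' constrains the interface the
# packet crossed, not which of the host's addresses it was sent to.
add 1000 allow tcp from any to me 22 in recv fxp0

# Alternative 3: explicit address plus receive interface.
# The destination must be the external address and the packet must
# arrive on the external interface. The address has to be kept in
# step with the interface configuration by hand, which is the
# trade-off against 'me'.
add 1000 allow tcp from any to 192.0.2.10 22 in recv fxp0
```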
